Sign of the times
- By Heather Harreld
- Feb 07, 1999
Now that Congress has passed legislation that will push agencies to the brink of the much-envisioned paperless government, federal users are focusing as never before on digital signature technology - a method of authenticating the identity of a person who has "signed" an electronic document and of ensuring that the contents of the document were not altered during transmission.
The law will require agencies to provide electronic forms to citizens, who will use emerging digital signature technology to securely submit the forms back to agencies. Agencies still need to re-engineer many business processes and settle pesky policy questions before diving into these new activities. But the market for technology to support those activities is exploding as vendors race for a share of the potentially massive amount of business in the federal arena, in which agencies accept 23 billion responses to 6,000 different forms every year.
Brian O'Higgins, executive vice president and chief technology officer of Richardson, Texas-based Entrust Technologies Inc., said the new legislation should create a massive federal market for products supporting the federal public-key infrastructure (PKI), which is a framework of laws and procedures addressing the use of digital signatures.
"It's going to be the killer application for PKI," O'Higgins said. "When there is some edict that says, 'Save paper,' that will drive huge applications."
But O'Higgins and others noted that potential pitfalls to smooth and quick adoption of digital signatures could delay progress. Some observers said the government lacks the resources to fully meet the requirements of the law, while others noted interoperability deficiencies in existing products.
Squeezed into the omnibus budget bill, the Government Paperwork Elimination Act charges the Office of Management and Budget with crafting guidelines to help agencies develop electronic versions of forms and accept "electronic signatures" on tax documents and other forms requiring a signature.
Richard Guida, champion for security on the Government Information Technology Services Board and chairman of the Federal PKI Steering Committee, is working on these guidelines for agencies, which are due in about a year.
He noted that while the legislation calls for the use of electronic signatures - a broad category of technology that could include personal identification numbers and passwords - most agencies will turn to digital signature technology to meet the requirements of the new law.
"The current products are very good for many applications," Guida said. "Clearly if you have a spectrum of applications, you're going to need the authentication technology that covers that spectrum. A digital signature capability can be used for multiple purposes."
While agencies have up to five years after OMB issues the guidelines to comply with the law, many already are exploring how to use digital signatures to secure electronic forms and other transactions.
Peter Alterman, director of operations at the Office of Extramural Research at the National Institutes of Health, said the Health and Human Services Department is studying the requirements of the law and developing plans to address them.
Within six to nine months, NIH plans to begin using electronic forms combined with digital signature technology for accepting research grant applications online and for transmitting information about the grants online, Alterman said. He added that the technology could be used for other applications that would allow doctors to fill out prescription forms online, ensure the privacy and security of medical records and facilitate procurements.
"We think of it as an enabling technology," Alterman said. "We figure we can save in the neighborhood of $1 million per year just for printing costs. I would love to be able to do procurements and contracts online; that would save hours and days and could save beaucoup bucks in penalty payments for vendors."
VeriSign Inc., based in Mountain View, Calif., has teamed with forms vendor UWI.Com on two deals with federal agencies eager to test technology geared toward integrating electronic forms and digital signature technology.
Nick Piazzola, vice president of VeriSign's Federal Markets Division, said the Internal Revenue Service plans to launch a pilot that will allow citizens to download a 1040 income tax form enabled with VeriSign digital signature capability, digitally sign the form and send it back to the IRS. And he said the Department of Veterans Affairs plans to use the VeriSign/UWI.Com offering to begin accepting electronic verifications of education requirements from students.
Piazzola said VeriSign hopes to tap into this market by offering a packaged solution that includes basic PKI features - including the signing and verification functions - integrated with a forms application and a back-end integration method to enable an agency to take information from a form and transfer it into a database for manipulation and storage.
VeriSign and Entrust recently inked agreements with forms vendor JetForm Inc. to offer products to help agencies comply with the law.
JetForm last month announced new World Wide Web forms designed to enable the public to file government forms over the Internet without downloading additional software or browser plug-ins. As part of this, JetForm will be offering government customers the option of integrating the forms product with digital signature capabilities from VeriSign and Entrust.
While VeriSign offers a packaged solution for agencies gearing up to meet the requirements of the new law, GTE CyberTrust, Needham Heights, Mass., is offering products and services to agencies on an a la carte basis to meet their unique needs.
For example, the CyberTrust Safekeyper product, which is used by the Treasury Department to sign electronic checks, supports high-assurance digital signature applications. The company's enterprise certification authority product, used for the government's primary intelligence network, allows agencies to issue and manage digital certificates, which contain the digital signatures.
Other companies, such as Digital Signature Trust Co., do not sell digital signature products but provide outsourced digital signature management services, such as setting and maintaining policies addressing who may receive a digital signature and what credentials they must provide before receiving such a signature. The company, formed in Salt Lake City by Zions First National Bank to assist in the Utah state government's search for a digital signature provider, purchases technology from other companies and offers to manage the issuance of digital signatures and to monitor their validity.
While there seems to be no shortage of companies offering the digital signature technology that, coupled with the more mature electronic forms technology, would allow agencies to meet the letter of the law, this market is too new to have developed products with widespread interoperability, said Robert Moskowitz, senior technical director of the International Computer Security Association.
"There has been an explosion in digital signature technology," Moskowitz said. "There's no way all these products can interoperate. There are products that are being sold to fix the problems of interoperability."
Interoperability problems exist in the software that generates the digital signatures, the software that monitors the validity of the signatures and the libraries used to process digital signatures, Moskowitz said. The solution to the problem, he suggested, will be for vendors to come together to formulate common standards and protocols and then to offer their products for testing so that users can be assured that their purchases will allow them to communicate with others throughout the government.
In addition to interoperability concerns, liability concerns and questions about how to validate signatures after long-term storage only recently have begun to be addressed by agencies.
Because agencies revoke the digital signatures of employees who have left the organization, managers are faced with the problem of how to validate a digital signature used years ago by employees who have no active digital signature accounts. Frank Ploof, the PKI project lead at the Energy Department's Lawrence Livermore National Laboratory, said lab officials are struggling with this dilemma.
In addition, Ploof said liability issues need to be addressed before the widespread use of digital signatures can be accomplished safely.
"Are the legal ramifications understood?" Ploof asked. "Is the risk understood? One has to look at each and every form and understand why it's being signed and understand the legal ramification of those signatures. Forms that are fairly low-risk lend themselves readily to digital signatures."
Others question the government's wherewithal to comply with the law. Patty Edfors, CyberTrust's director of government services, said agencies have faced several impediments to offering secure widespread electronic access to citizens, including Year 2000 conversion efforts, lagging resources and requirements for business process re-engineering.
"Agencies have to deal with [defining] what constitutes valid identity," Edfors said. "There are business requirements inside the agencies that haven't been worked out. The federal agencies are getting another requirement levied on them with no resources."
Entrust's O'Higgins noted that many agencies lack the skilled workers and funding needed to re-engineer their business processes to meet all the aspects of the mandate. "If deploying a PKI is tied up on automating a manual process, that could take years," he said.
But O'Higgins added that he expects the government's move into the world of digital signatures to happen swiftly once the effort gains momentum. "Once people make up their minds to do it, it's fairly quick to roll it out," he said.
Status: The Paperwork Elimination Act mandates that federal agencies provide electronic forms to the public and a secure method for transmitting completed forms back to the government. Observers believe agencies, which receive 23 billion forms a year, will turn to digital signature products to meet the law's requirements.
Issues: Although many observers believe the federal market for digital signature technology will explode within the next five years, they also express concerns about interoperability among vendors' products. Observers also said many agencies lack the resources to fully comply with the law and must first re-engineer their business processes before installing new products.
Outlook: Excellent. The congressional mandate ensures that agencies will be purchasing digital signature products within five years.